The Green Sheet Online Edition

April 27, 2015 • Issue 15:04:02

Authenticate to be positive

Faced with the prospect of unrelenting cyber-attacks, and the card fraud attempts that inevitably follow, financial institutions and payments companies are ramping up investments in systems and services that can help to better authenticate customers and the cards and devices they use to make payments.

The latest indication is that five of the largest banks in the country, through a consortium known as Early Warning Services LLC, have acquired Authentify Inc., a leading provider of phone-based, multifactor authentication to financial institutions and e-commerce companies worldwide. It was followed by news that Early Warning had entered a strategic alliance with BioCatch Ltd., which specializes in behavioral biometrics, authentication and malware detection. Combined with the equity investment Early Warning made two years ago in Payfone Inc., which specializes in mobile authentication, the latest deals position Early Warning to offer all manner of digital multifactor authentication services and the ability to integrate, manage and prioritize multiple authentication procedures on a single platform, the company said.

Multifactor authentication refers to security protocols that rely on multiple sources and methods for authenticating individuals, cards and devices. So, for example, a financial institution using Early Warning to authenticate a new customer, or a customer transaction, can now benefit from intelligence that integrates behavioral analytics with the ability to authenticate consumers, their mobile devices, and their banking and payment activities. If the transaction is a card payment, it might also be subject to the card brands' authentication programs, Verified by Visa and MasterCard SecureCode, generically known as 3D Secure.

Early Warning was born from a check authorization network (known as SCAN), developed by the Star EFT network, which is now part of First Data Corp. Today, Early Warning's owners, combined, control nearly 80 percent of demand deposit (checking) accounts in the country. It counts as clients 1,100 financial institutions, government entities and payments companies. The owner banks are: Bank of America Corp., Branch Banking and Trust Co., Capital One, JPMorgan Chase and Wells Fargo. Early Warning also hosts a digital channels advisory committee with representatives from other large financial institutions, including Citicorp and USAA.

"We're not just solving problems at the individual level for financial institutions," explained Michael Toth, Vice President, Product Management, Digital Channels, at Early Warning. "We're looking across the industry."

This is a major change in an industry like financial services where competition and other concerns have limited interest in things like shared data bases. But it has been necessitated by the changing nature of commerce and growing fraud threats. "We need to change the way we address the problem," said Craig Priess, Founder and Vice President of Guardian Analytics Inc., in a presentation at the BAI Payments Connect conference in March. "You need a deep history of interactions to better understand relationships and behaviors and to identify potential problems."

Authentication always has been an underlying component of payment authorization. Historically, authenticating a card payment meant ensuring the numbers on the card were legitimate (authentic) and not just a string of meaningless digits. Over the years, several companies have experimented with more sophisticated approaches, although none succeeded in gaining traction. Pay-by-Touch was one such venture. As the name implied, consumers would swipe their fingers across a POS scanner to initiate payments at stores. Whole Foods Market was a client. Pay-by-Touch was ahead of its time; it never gained much traction.

Today, ongoing adoption of mobile and online payments, the upcoming switch to the EMV (Europay, MasterCard and Visa) security protocol and the iPhone 6 with Apple Pay (which reintroduced finger scans) are pushing the market in new directions.

In addition to Apple, for example, UK-based Barclays Bank also introduced a new biometric finger reading device in late 2014 to replace passwords and PINs for online customers. The device uses infrared lights to scan the blood flow in a customer's finger. Other biometric authentication methods being tested and/or adopted to varying degrees by banks include iris scanning, voice recognition and facial recognition.

Authentication can also be applied to devices. For example, many banks and solutions providers use geolocation data to authenticate mobiles and the customers using them. This method employs GPS technologies to determine where the mobile device is located and compares that to a customer's IP address information. The technology can even be used to block transactions originating from a pre-defined list of IP addresses or countries.

"Mobility changes everything," said R. "Doc" Vaidhyanathan, Vice President, Product Management, Digital Payments, at the security firm CA Technologies. This especially applies to loss considerations. The latest LexisNexis True Cost of Fraud Study, published in January 2015, revealed that not only are merchants losing more money because of online fraud, but mobile fraud is the most costly. The all-in cost for mobile fraud is $3.34 per dollar of fraud losses compared to $3.08 for other channels such as MO/TO sales, LexisNexis reported.

While it may seem a bit out of place now, using mobile devices to authenticate and secure consumer payments is poised to be both common and user friendly, Vaidhyanathan said. That's because mobiles can be used to authenticate with, authenticate to and authenticate through. Plus, most people have their mobiles always at the ready.

The problem for financial institutions and payment companies is that traditional fraud fighting tools and procedures don't work well in a mobile environment. "They're trying to adopt traditional controls for this space, and a lot of those things just don't make sense," Toth said. And it can create a "worse customer experience." An e-commerce provider, for example, may require one-time passwords to authenticate customers. But that can create a lot of friction for a customer who is using his or her smartphone to shop.

"There's a wealth of information available out there" that can improve authentication in a mobile environment, Toth said. BioCatch, for example, can track cognitive digital signatures, such as how a device is held or swiped; Payfone, meanwhile, provides access to intelligence on 297 million wireless customers, Toth added.

Merchants in the dark?

While this bodes well for financial institutions, recent reports suggest merchants' perceptions about fraud, especially mobile fraud, are not keeping pace with reality. For example, the security firm Kount Inc. reported that most of the 2,000 merchants worldwide it recently polled consider the mobile channel equally or less risky than traditional e-commerce (58.8 percent combined). That number is higher than was the case in 2013, when just 49.2 percent of the surveyed merchants responded that the mobile channel is no more risky than traditional e-commerce.

On the other hand, about 10 percent fewer merchants consider mobile commerce somewhat or far riskier than traditional e-commerce, according to the 2015 Mobile Payments & Fraud Survey. This was the third year Kount, working with CardNotPresent.com and The Fraud Practice LLC, surveyed merchant attitudes on mobile payments and fraud.

"The data shows that the industry as a whole is further behind on mobile adoption and fraud protection than they were a year ago, and in fact, some are even pulling back," said Don Bush, Vice President of Marketing at Kount. "It seems everybody knows that mobile is poised to make an impact, but the urgency to make sure mobile fraud protection is in place is lacking."

Mass merchants are more likely to be able to identify mobile devices by type.

Gaming and social sites are the only category of merchants than can identify all transactions coming from mobile devices, but only 25 percent can determine the device type.

Just 39.4 percent of merchants track fraud by channel and differentiate mobile fraud from other e-commerce fraud.

Better than a quarter (28.4 percent) have no plans to add new tools or services to combat mobile channel fraud.

Just 23.7 percent of the surveyed merchants accept mobile wallets. PayPal is the dominant form of mobile payment accepted, at 54 percent.

Merchant adoption of 3D Secure authentication methods – like Verified by Visa and MasterCard SecureCode – has been equally lackluster. Results of recent surveys by CardinalCommerce and The Fraud Practice indicate that just 43 percent of merchants use these programs. Not surprisingly, midsize and larger merchants are more likely than are smaller merchants to employ 3D Secure. Even among merchants who earn half or more of their revenues from card-not-present (CNP) transactions, just 54 percent use these authentication tools, CardinalCommerce reported.

New approaches in the works

Many experts warn that the need for sophisticated authentication tools will increase as more U.S. merchants and card issuers embrace EMV and more fraud moves to CNP environments. "It's a huge concern," said Jim Pitts, Project Manager for Technology Risk at BITS, the technology policy division of the Financial Services Roundtable. Anne Fairchild, Director of EMV Product Management at First Data, agreed, adding, "Everyone seems to be behind the eight ball."

CNP fraud is no small matter. According to Aite Group LLC, 16 percent of card fraud losses in 2013 came from CNP transactions. The Federal Reserve reported in its latest retail payments survey (which covered 2012) that CNP fraud occurred three times more often than did card-present fraud.

"The rise in popularity of mobile wallets has highlighted the challenges issuers face in managing fraud risk within this new channel," said Nandan Sheth, President and Chief Operating Officer at Acculynk. Acculynk operates an authentication gateway for merchants and processors and has developed a software-based scrambling PIN pad that can be used to authenticate customers at the point of account entry, or it can be fine-tuned to kick in for use only with high-risk transactions.

Given that merchant adoption of EMV is only expected to increase as the October 2015 liability shift looms, time is of the essence for all stakeholders to reinforce authentication in the CNP arena.

SIDE NOTE:Fed details consumer smartphone use for payments, banking

Today most adults in the United States (87 percent) have mobile phones, and 71 percent of those devices are smartphones, according to Consumers and Mobile Financial Services 2015. The report, the fourth in as many years from the Federal Reserve Board, revealed that as of December 2014, 39 percent of mobile phone customers had used those devices for mobile banking activities, such as checking balances, transferring money between accounts and depositing checks – up from 33 percent the year before.
The use of mobile phones for payments was also up; 22 percent of mobile phone users reported using those devices to make payments in 2014, compared with 17 percent in 2013, the Fed reported. Among smartphone users, the trend is even more pronounced: 28 percent of this group reported making mobile payments in 2014, up from 22 percent the year before. The Fed said that 39 percent of smartphone users reported making POS payments using those devices in 2014. Among consumers who made POS payments with their smartphones last year, 31 percent did so by scanning a barcode or quick response code displayed on their phone screen at the checkout, while just 14 percent used near field communication, tap-and-pay methods.

The Fed's data also points to several geographic and demographic trends in the use of mobile devices for banking and payments. For example, residents of rural communities are less likely to use the mobile channel to bank or make payments than are residents of more densely populated regions.

Not surprisingly, younger consumers are more apt to use their smartphones for banking and payments. Among those 18 to 29 years old, 34 percent made mobile payments in 2014, up from 28 percent in 2013. The 30 to 44 year old age group was only slightly less inclined at 31 percent, up from 21 percent a year earlier. Among 45 to 59 year olds just 16 percent made mobile payments in 2014, the Fed reported.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.